The previous fix for CVE-2024-43398 did not include patches
to provide context for the changes it made.
This caused an exception at run-time when ruby parsed
rexml/parsers/baseparser.rb. This was first observed when using
ruby-native to build the sdformat recipe.
With these additional backports, the sdformat build proceeds
successfully. The REXML library was also tested manually on-target
with a script that used REXML::Document.new file to parse an
XML file.
(From OE-Core rev: 6bf00fde2d4043c6b558733a33041ce5694342d3)
Signed-off-by: Rob Woolley <rob.woolley@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS
vulnerability when it parses an XML that has many deep elements that have
same local name attributes. If you need to parse untrusted XMLs with tree
parser API like REXML::Document.new, you may be impacted to this vulnerability.
If you use other parser APIs such as stream parser API and SAX2 parser API,
this vulnerability is not affected. The REXML gem 3.3.6 or later include the
patch to fix the vulnerability.
Reference:
https://security-tracker.debian.org/tracker/CVE-2024-43398
Upstream-patch:
7cb5eaeb22
(From OE-Core rev: f23d1bfca0ea57150c397bc2e495191fb61423d0)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
vulnerability when it parses an XML that has many entity expansions
with SAX2 or pull parser API. The REXML gem 3.3.3 or later include
the patch to fix the vulnerability.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-41946
Upstream-patch:
033d1909a8
(From OE-Core rev: b0e74fd8922bba8e954a223ec46de5c33d2ff743)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS
vulnerability when it parses an XML that has many digits between &# and x...;
in a hex numeric character reference (&#x.... This does not happen with
Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby.
The REXML gem 3.3.9 or later include the patch to fix the vulnerability.
CVE-2024-49761-0009.patch is the CVE fix and rest are dependent commits.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-49761
Upstream-patch:
810d22852383ca5c4b0f51217dbcc67e4049f6a6fc6cad570b7712855547370666e314a579730f25ce59f2eb1a
(From OE-Core rev: 5b453400e9dd878b81b1447d14b3f518809de17e)
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
The presence or lack of nroff on the host was changing the doc type. Set it
explicitly to be deterministic and reproducible.
(From OE-Core rev: dd857d2519fd4f38c67a6fa0087f72798166467a)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit f5053abb8957acf358b518ee3c76146dc5f4eb6c)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
A buffer-overread issue was discovered in StringIO 3.0.1, as
distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through
3.1.4. The ungetbyte and ungetc methods on a StringIO can
read past the end of a string, and a subsequent call to
StringIO.gets may return the memory value. 3.0.3 is the main
fixed version; however, for Ruby 3.0 users, a fixed version
is stringio 3.0.1.1, and for Ruby 3.1 users, a fixed version
is stringio 3.0.1.2.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-27280
(From OE-Core rev: 729310d17310dff955c51811ff3339fdbc017b95)
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Upstream dropped capstone support and this also causing us
reproducibility issues.
(From OE-Core rev: fe8e54576e97ef7c4845889f3e8bb53f524c0611)
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit d2496a904a7099ef0de818180820ad7b40843a08)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Autobuilder workers were non-deterministically enabling capstone
depending on whether the worker had libcapstone installed.
Add PACKAGECONFIG for capstone with default off, since ruby does not
require capstone support.
(From OE-Core rev: 6db1eb67e7abb5c1c655ab5d2b4eeb73ae4af576)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Ruby 3.1.2 has been released.
This release includes security fixes.
CVE-2022-28738: Double free in Regexp compilation
CVE-2022-28739: Buffer overrun in String-to-Float conversion
(From OE-Core rev: ca1c990df62f1b3d53b2114a387f192efe7e38e8)
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 1306c732a39070e12306b0b7a393e2a482c8b326)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
refresh the following patches for 3.1.1:
0005-Mark-Gemspec-reproducible-change-fixing-784225-too.patch
0006-Make-gemspecs-reproducible.patch
(From OE-Core rev: 6ae009ae73fc81de441d57699fee61b6fcc48600)
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
An automated conversion using scripts/contrib/convert-spdx-licenses.py to
convert to use the standard SPDX license identifiers. Two recipes in meta-selftest
were not converted as they're that way specifically for testing. A change in
linux-firmware was also skipped and may need a more manual tweak.
(From OE-Core rev: ceda3238cdbf1beb216ae9ddb242470d5dfc25e0)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
recent change create a blank scope of DEPENDS for class-target,
basically leaving out all general dependencies, leading to the effect
that ruby will be shipped without the runtime dependencies of zlib,
openssl and libffi, making the corresponding gems unusable at runtime.
As the class-target scope should be appended only the correct override
is append:class-target
(From OE-Core rev: 8f92444d388d2406be7d317578908975784d3f22)
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
In particular libffi was missing from native, which
led to linking with host libffi instead.
(From OE-Core rev: 293c9f879252a814107579542e8fca9af9dde599)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This fixes a build issue that started with 3.1 upgrade
Fixes
| ../ruby-3.1.0/vm_dump.c:916:38: error: use of undeclared identifier 'REG_S1'
| dump_machine_register(mctx->__gregs[REG_S1], "s1");
(From OE-Core rev: 1b0a88b6c31f85d70045a61f843302992ae7f94e)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
ruby's makefiles are rebuilding several items on every invocation,
even if nothing changed, all of which are factored into libruby.so
and cause it to be relinked as well. This does not seem to affect plain
make invocation, but does cause races in make install:
https://bugzilla.yoctoproject.org/show_bug.cgi?id=14695
Rather than figure out how to use make properly and convince upstream
of it, let's just do serial installs and file a bug:
https://bugs.ruby-lang.org/issues/18506
(From OE-Core rev: 1dc5cdf683133d210658eba9a619b737ec95cfe3)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Turn on "link external modules statically" option
as otherwise ruby installer tries to do additional
building inside installed module directories in do_install
which fails horribly.
License-Update: additional MIT/BSD items
(From OE-Core rev: 4d4485442830bb52b152f0419f4ff9f1d581d46a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The issue is reported upstream:
https://bugs.ruby-lang.org/issues/18456
Otherwise I do not feel that further investigation of rdoc's parser to find
out the source of non-determinism is worth the time.
(From OE-Core rev: 208021f7212a8a790c350ccca720695c5bcbb1ca)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Do not tweak a file that is no longer installed.
(From OE-Core rev: 1af0c4ef56d1892f284b6787ccc5a925d023e178)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It is incompatible with openssl 3 in currently released versions, and given
very marginal use of ruby in oe, I do not think not having it matters.
(From OE-Core rev: 7a477de350eaf7095745db81fb03e7ab20188f5a)
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Apply some changes on the Ruby makefiles in order to fix the reproducibility:
- use a fixed timestamp,
- sort linked objects,
- doesn't use the current date,
- and use UTC date.
[YOCTO #14268]
(From OE-Core rev: 59b07ab51ff932a4632a31675445ba4192bae36b)
Signed-off-by: Thomas Perrot <thomas.perrot@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If we add DEBUG_PREFIX_MAP into LDFLAGS, ruby and ruby-dbg are no
longer reproducible. Fix this.
(From OE-Core rev: c34d5e409b291e69d6ff28ee71acba7055ef3f08)
Signed-off-by: Tony Battersby <tonyb@cybernetics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
(From OE-Core rev: 42344347be29f0997cc2f7636d9603b1fe1875ae)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The coroutine implementation in ruby has either arch specific
implementations or it falls back to slower ucontext API based
implementation assuming libc will provide the needed APIs, however musl
does not implement ucontext APIs like glibc, therefore fallback is to
use libucontext library on musl. However, libucontext is not ported to
riscv yet. which means on musl/riscv ruby is unbuildable, however a
third option is to use copy implementation for coroutines, which will be
not as good performance-wise, but it will do the job, therefore for now
use copy implementation for rv32/rv64 when using musl
(From OE-Core rev: 3b2b401dbbb8d3aa14a5fd864178f702af3c8115)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop 0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch
as files removed upstream.
License-Update: formatting
Drop autoconf270.patch, as no longer needed with 3.0.0
(I verified against master-next which has the new autoconf).
(From OE-Core rev: 8fbf04053845aac24e0c0f1395051b60294e02a3)
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Drop a macro we don't need which was breaking with autoconf 2.70.
(From OE-Core rev: 995a0421ab39d62354e56f77eca10e2d176582d4)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The integrated Tcl/Tk module was removed in Ruby 2.4[1] back in 2016, so this
build dependency can be removed.
[1] 303dc3c591
(From OE-Core rev: 9f4e181924a83d7b26b11de765c202a9bd036f64)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
coroutines in ruby 2.7+ needs ucontext APIs which are not available in
musl but an external library is available to provide them so use it
Use cached values for ac_cv_func_isnan and ac_cv_func_isinf this is not
detected correctly by configure on musl
on ARM drop using old arm32 implementation of coroutine which is slow and
inefficient
(From OE-Core rev: 406e7a085b0650bdba9f19633dadb7e6ff0149e5)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
After update to 2.7.0, it fails to start ptest of ruby with errors:
| ./test/runner.rb:11:in `require_relative': cannot load such file --
/usr/lib64/ruby/ptest/tool/test/runner (LoadError)
and
| test/rdoc/test_rdoc_attr.rb: cannot load such file -- rdoc/version
| test/did_you_mean/spell_checking/test_key_name_check.rb: cannot load
such file -- /usr/lib64/ruby/ptest/lib/did_you_mean
Install the required files for the ptest.
(From OE-Core rev: be161be40c88fbac8ac17776daf3bf178a2e8f5e)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
0003-configure.ac-check-finite-isinf-isnan-as-macros-firs.patch
Removed since it is included in 2.7.0.
refresh the following patch:
0002-Obey-LDFLAGS-for-the-link-of-libruby.patch
add the following patch to solve build error:
0001-Modify-shebang-of-libexec-y2racc-and-libexec-racc2y.patch
[error message]
ERROR: ruby-2.7.0-r0 do_package_qa: QA Issue:
/usr/lib/ruby/gems/2.7.0/gems/racc-1.4.16/bin/y2racc contained in
package ruby requires /usr/local/bin/ruby, but no providers found in
RDEPENDS_ruby? [file-rdeps]
format of file COPYING is updated.
LEGAL notice information is updated.
(From OE-Core rev: 3cdf5da514b424a6d78ba4e1412331b6cf2b3bff)
Signed-off-by: Wang Mingyu <wangmy@cn.fujitsu.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
one of the build steps ruby has is that it generated rb_mjit_header.h
during configure using gcc preprocessor using -dD which emits built-in
defines as well, problem happens when this header is later included in
subsequent compiles, where compiler errors out stating that an existing
internal define is redefined
| /tmp/20200123-2021083-2c601q.h:13849:9: error: "__has_include" cannot be used as a macro name
| 13849 | #define __has_include __has_include
| | ^~~~~~~~~~~~~
| compilation terminated due to -Wfatal-errors.
Since compiler already will take care of it internally we can edit it
out from this header file
(From OE-Core rev: b4f0df9a0e998af746bcd84cb81ea4ba0107f989)
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
There isn't anything specific about the target in these cases an in
general recipes should touch CFLAGS. This ensures people don't
copy/paste bad example usages. In reality, behaviour is mostly
unchanged.
(From OE-Core rev: ae6e7dd19b6da81090a38792dfdf31b459290466)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
